2团
Published on 2024-08-16 / 9 Visits

Firewalld Setup

1. Background

Some of the servers on our project run CentOS and use firewalld as the firewall.

I often need to configure firewalld, so I am recording the common commands here.

2. Starting firewalld

# Start the firewall
systemctl start firewalld.service
# Start the firewall automatically at boot
systemctl enable firewalld.service
# Stop the firewall
systemctl stop firewalld.service

3. Adding/removing access rules

# Open port 80 for TCP (--permanent: persist the rule; --zone: the zone the rule applies to)
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Remove a port (the only difference is that --add-port becomes --remove-port)
firewall-cmd --zone=public --remove-port=8898/tcp --permanent

# Open port 8888 for TCP access from the host 192.168.157.10
# (single quotes around the rule so the inner double quotes reach firewall-cmd intact)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.157.10" port protocol="tcp" port="8888" accept'
# Open port 18888 for TCP access from hosts in the 192.168.2.14/25 range
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.2.14/25" port protocol="tcp" port="18888" accept'
# Remove a rule that was added (the only difference is that --add-rich-rule becomes --remove-rich-rule)
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.157.10" port protocol="tcp" port="8888" accept'

# Note: permanent rules only take effect after running the following command
firewall-cmd --reload

4. Viewing the policy

# Show the firewall rules of the default zone (public here)
firewall-cmd --list-all
# Show the firewall policy of every zone
firewall-cmd --list-all-zones
# Show all open ports
firewall-cmd --list-ports

Another way is to read the zone files directly:

[root@stress5 zones]# cd /etc/firewalld/zones/
[root@stress5 zones]# ll
total 8
-rw-r--r--  1 root root 723 Nov  3 12:32 public.xml
-rw-r--r--. 1 root root 598 Nov  3 11:37 public.xml.old
# Only public.xml exists because the current configuration is limited to the public zone (it can be edited directly; run firewall-cmd --reload to apply the changes)
[root@stress5 zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="192.168.1.1/24"/>
    <port port="22" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.1/24"/>
    <port port="18888" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.2.14/25"/>
    <port port="18888" protocol="tcp"/>
    <accept/>
  </rule>
  <forward/>
</zone>
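The zone file above is plain XML, so it can be audited by a script rather than by eye. The following is an added example (not from the original post): it parses a constructed zone file modelled on the public.xml shown, regenerates the equivalent firewall-cmd commands (with the reload that section 3 insists on), and flags source CIDRs such as 192.168.1.1/24 whose address has host bits set, which firewalld accepts but which hide the actual network (192.168.1.0/24) being permitted.

```python
# Added example (not from the original post): parse a firewalld zone file in the
# /etc/firewalld/zones/*.xml format, emit equivalent firewall-cmd commands, and
# flag source CIDRs whose address is not the network address of the prefix.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's public.xml (one rule per line for brevity).
ZONE_XML = """<zone>
  <service name="ssh"/>
  <rule family="ipv4"><source address="192.168.1.1/24"/><port port="22" protocol="tcp"/><accept/></rule>
  <rule family="ipv4"><source address="192.168.2.14/25"/><port port="18888" protocol="tcp"/><accept/></rule>
</zone>"""

def parse_zone(xml_text):
    """Return the zone's services and rich rules as plain Python data."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        src, port = r.find("source"), r.find("port")
        rules.append({
            "family": r.get("family"),
            "source": src.get("address") if src is not None else None,
            "port": port.get("port") if port is not None else None,
            "protocol": port.get("protocol") if port is not None else None,
            # a rule carries exactly one of these action elements
            "action": next((a for a in ("accept", "reject", "drop") if r.find(a) is not None), None),
        })
    return {"services": [s.get("name") for s in root.findall("service")], "rules": rules}

def rich_rule(rule):
    """Render one rule in rich-rule syntax with double quotes inside, so the shell quote can be single."""
    parts = [f'rule family="{rule["family"]}"']
    if rule["source"]:
        parts.append(f'source address="{rule["source"]}"')
    if rule["port"]:
        parts.append(f'port port="{rule["port"]}" protocol="{rule["protocol"]}"')
    return " ".join(parts + [rule["action"]])

def zone_to_commands(zone, parsed):
    """Permanent commands that rebuild the zone, followed by the reload that makes them live."""
    base = f"firewall-cmd --permanent --zone={zone}"
    cmds = [f"{base} --add-service={s}" for s in parsed["services"]]
    cmds += [f"{base} --add-rich-rule='{rich_rule(r)}'" for r in parsed["rules"]]
    return cmds + ["firewall-cmd --reload"]

def host_bits_set(parsed):
    """(source, real network) pairs for sources like 192.168.1.1/24 that are not network addresses."""
    nets = {r["source"]: str(ipaddress.ip_network(r["source"], strict=False))
            for r in parsed["rules"] if r["source"] and "/" in r["source"]}
    return [(src, net) for src, net in nets.items() if src != net]
```

Run against a real zone file with `parse_zone(open("/etc/firewalld/zones/public.xml").read())`; the zone files are root-readable only, as the `ll` listing above shows.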

5. Advanced usage

# Reject all traffic from 192.168.8.101 (note that the zone is work)
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'

# Accept TCP traffic to the port range 8000-9000 from the 192.168.1.0/24 subnet
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'

# Drop all ICMP packets
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

# Accept HTTP traffic from 192.168.8.1 and log it (log prefix "NEW HTTP", at most 3 log entries per second)
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'

For more usage guidance, see: CentOS 上的 FirewallD 简明指南 (A Concise Guide to FirewallD on CentOS)

